News

Twitter Attack May Have Its Origins in Malware

• By Jabulani Leffall
• August 07, 2009

System administrators might be more pleased than dismayed when a social networking site such as Twitter locks out millions of users.

After all, conventional wisdom at companies suggests that no one except product marketers should be "tweeting" anyway. However, Thursday's denial-of-service (DoS) attack hitting Twitter is still noteworthy for IT security pros and administrators. Social networking appears here to stay, but such Web sites can be a launch pad for malware, phishing and spoofing attacks.

A Twitter blog indicated late on Thursday that its social networking site had faced a "massive, globally distributed attack," but that the service is mostly restored.

The Twitter DoS attack is said to have originated in Russia or the former Soviet republic of Georgia. It locked up a site that may support around 45 million users. The Twitter service promises a near real-time medium of information exchange, and when information moves that fast, so can malicious code.

"The Twitter outage was yet another case of growing pains with Twitter infrastructure simply not being able to keep up with the load associated with their rapid growth," said Paul Henry, security and forensics analyst at Lumension. "The onslaught of bogus messages that are directing users to malicious pages may in fact be overwhelming Twitter."

Meanwhile, some organizations are saying "No" to the social networking experiment. The U.S. Marine Corp. this week banned marines from using Twitter for a year, as well as Facebook.

The military service explained in a statement that social networking sites are generally "a proven haven for malicious actors and content and are particularly high risk due to information exposure, user generated content and targeting by adversaries." The U.S. Department of Defense is also putting social media technology under review.

Currently, a new version of the Koobface malware has been found in the wild that is using both Twitter and Facebook messages to lure potential victims to fake antivirus Web pages.

Twitter last month suspended several user accounts plagued by Koobface. Once a user is logged on to a social networking site, Koobface deploys fake messages, enticing a user's friend or follower to click on a link in the fake message. It's a textbook example of phishing.

The heavy use of URL-shortening on Twitter has made it nearly impossible to identify the domain. Consequently, it's easier to pass off a corrupt link as a trusted one through a Twitter message.

Twitter recently started filtering URLs to cut back on the amount of malware that users experience. However, the motivation behind Thursday's DoS attack might be inspired more by spite than revenge, according to Randy Abrams, director of technical education at security firm ESET.

"Twitter's actions must have hurt the bottom line of some criminal organizations, but there are still other ways thieves can make money and they make none at all if Twitter is down," Abrams said. "This leads to the thought that either it is a revenge attack by a disgruntled idiot or an attempt to gain fame by a hacker with more technical skills than brains."

Whatever the reason for the attack, it safe to say that as social networking grows in popularity and corporate use, so too will it grow as a vector for malicious activity that's just one "tweet" away.